CVE-2022-41343

Name of the Vulnerable Software and Affected Versions Dompdf versions prior to 2.0.1

Description The issue allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule. This is related to the registerFont function in FontMetrics.php.

Recommendations For versions prior to 2.0.1, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, consider disabling the registerFont function in FontMetrics.php to prevent remote file inclusion until a patch is applied. Restrict access to the FontMetrics.php file to minimize the risk of exploitation. Avoid using the @font-face rule in affected API endpoints until the issue is resolved.